Modern Solution - A German court fined a freelance programmer €3,000 for finding and informing the customer about a serious vulnerability

A verdict was handed down in Germany in a case that dates back to 2021. A German programmer, while troubleshooting problems in Modern Solution's software, discovered a vulnerability that gave him access to the data of 700 thousand of the company's customers. He contacted Modern Solution, after which the company closed the vulnerability and then pressed charges against the programmer, accusing him of illegally accessing the data.

According to the materials presented, at the time of the incident the programmer was a freelance IT consultant working with Modern Solution's software on behalf of one of the company's customers. During this work it turned out that the client software establishes a MySQL connection to the central server using a password stored in plaintext inside the MSConnect.exe executable. The programmer expected that a test connection to the database would expose only the data of the customer he was working for, but instead he gained access to the data of all 700 thousand of Modern Solution's customers. According to him, as soon as he realised this he closed the database connection and reported the problem to Modern Solution.
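The core design flaw described above is a client that holds a shared database credential and talks to the multi-customer database directly, so nothing limits what it can read. The following added example (not code from Modern Solution or from the case file) contrasts that pattern with a server-mediated query that binds the tenant to the authenticated session; the table layout and sample rows are constructed for illustration.

```python
import sqlite3

# Constructed sample data: several customers' records share one table,
# standing in for the multi-customer central database described above.
SAMPLE_ROWS = [
    (1, "tenant-a", "alice@example.test"),
    (2, "tenant-a", "anna@example.test"),
    (3, "tenant-b", "bob@example.test"),
    (4, "tenant-c", "carol@example.test"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, tenant TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def flawed_client_query(conn: sqlite3.Connection) -> list:
    """Flawed design: the client holds a shared DB credential and queries the
    database directly, so a plain SELECT returns every tenant's data."""
    return [row[0] for row in conn.execute("SELECT email FROM customers")]


def scoped_server_query(conn: sqlite3.Connection, session_tenant: str) -> list:
    """Hardened design: the client never receives a DB credential. A server-side
    endpoint takes the tenant from the authenticated session (a hypothetical
    session object is reduced here to its tenant id) and binds it as a
    parameter, so one customer cannot read another's rows."""
    rows = conn.execute(
        "SELECT email FROM customers WHERE tenant = ?", (session_tenant,)
    )
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = build_db()
    print("shared credential, direct access:", flawed_client_query(db))
    print("server-scoped for tenant-a:", scoped_server_query(db, "tenant-a"))
```

Whether the embedded password is plaintext or obfuscated changes nothing here: as long as every client carries the same credential for the same database, the data of all customers is one query away.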

After the vulnerability was fixed, a description of the underlying problem appeared online, and Modern Solution itself issued a notice about the leak. Because the company's program files were freely available, almost anyone could have accessed the data in the database, and some may well have done so without reporting the problem to the company.

Modern Solution fixed the vulnerability and reported the programmer to the police, accusing him of decompiling an executable file, illegally obtaining a password and accessing customer data. In addition, the company's management stated that the accused had previously worked at JTL, a former partner of Modern Solution with whom the company's relationship had soured, and that he had obtained the password thanks to insider knowledge acquired at JTL. This, according to Modern Solution, demonstrated malicious intent.

During a lengthy trial in 2023 the programmer was initially acquitted, the court taking into account the evidence of the weak protection of the Modern Solution software and the fact that the password was almost "in the public domain", but the case soon went to the appeal court. On January 17 this year, the court found the programmer guilty under § 202a of the country's Criminal Code and fined him €3,000 (the prosecutor's office had initially asked for €5,400). The prosecutor's office considered it proven that the accused had tried to cause damage to the company. In addition, according to the indictment, the mere existence of a password, even a poorly protected one, already constitutes access protection and therefore brings the act under that article. The fact that the access occurred during a functional test requested by the affected party was not accepted as a justification.

